The labs XLab and Synthient have exposed the operations of one of the largest and stealthiest botnets, Kimwolf, whose "tentacles" have penetrated millions of living rooms worldwide. Its network encompasses between 1.8 million and more than 2 million Android TV boxes, transformed into a covert infrastructure for cyberattacks.
The Root of the Problem is the market for ultra-budget, no-name devices. These boxes, sold under hundreds of random brands, often ship with malware pre-installed right off the assembly line. By connecting the box to their TV, a user unknowingly invites a Trojan into their home network.
What the Botnet Does:
Large-Scale DDoS Attacks — infected devices relayed approximately 1.7 billion commands in just 72 hours.
Creating Residential Proxies — your home IP address becomes a commodity. It is "rented out" to third parties for bypassing blocks, click fraud, credential stuffing from leaked databases, and other hidden operations.
Multi-Layered Monetization — ranging from the silent installation of apps to orchestrating spam campaigns.
The Infection Mechanism is hidden within the pre-installed software on over 1,000 models of "gray" TV boxes. Part of Kimwolf's infrastructure overlaps with another known botnet, Aisuru, pointing to a possible shared developer team. For resilience, its operators use ENS (Ethereum Name Service) records, allowing them to instantly redirect command-and-control servers while remaining in the shadows.
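A defensive check for the ENS behaviour described above, as an added example that is not from XLab, Synthient or the original article: it scans dnsmasq query logs for lookups of ENS gateways or public Ethereum RPC hosts made by inventoried TV boxes. The watchlist, device inventory, addresses and log lines are assumptions constructed for illustration; the article does not say how Kimwolf resolves its ENS records.

```python
import re
from collections import defaultdict

# Assumed watchlist (not from the article): public ENS gateways and public
# Ethereum JSON-RPC hosts. A TV box has no ordinary reason to look these up.
ENS_SUFFIXES = ("eth.limo", "eth.link", "cloudflare-eth.com", "mainnet.infura.io")

# Assumed inventory of media devices on the LAN (constructed address).
TV_BOXES = {"192.168.1.50": "living-room TV box"}

# dnsmasq "log-queries" line: "... query[A] name from client-ip"
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")

def is_ens_related(name: str) -> bool:
    """True if name equals a watchlist entry or is a subdomain of one."""
    name = name.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in ENS_SUFFIXES)

def flag_ens_lookups(log_lines, inventory=TV_BOXES):
    """Return {client_ip: sorted ENS-related names} for inventoried devices only."""
    hits = defaultdict(set)
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m or m["client"] not in inventory:
            continue  # not a query line, or not a device we are watching
        if is_ens_related(m["name"]):
            hits[m["client"]].add(m["name"].rstrip(".").lower())
    return {ip: sorted(names) for ip, names in hits.items()}

# Constructed sample log lines (example.eth.limo is a placeholder name).
SAMPLE_LOG = [
    "Jan  5 21:14:01 dnsmasq[812]: query[A] time.android.com from 192.168.1.50",
    "Jan  5 21:14:03 dnsmasq[812]: query[A] example.eth.limo from 192.168.1.50",
    "Jan  5 21:14:04 dnsmasq[812]: query[AAAA] Mainnet.Infura.io. from 192.168.1.50",
    "Jan  5 21:14:09 dnsmasq[812]: query[A] example.eth.limo from 192.168.1.20",
    "Jan  5 21:14:11 dnsmasq[812]: query[A] noteth.limo.example.net from 192.168.1.50",
    "Jan  5 21:14:12 dnsmasq[812]: reply example.eth.limo is 203.0.113.7",
]

if __name__ == "__main__":
    for ip, names in flag_ens_lookups(SAMPLE_LOG).items():
        print(f"{TV_BOXES[ip]} ({ip}) looked up: {', '.join(names)}")
```

A bot that uses DNS-over-HTTPS or a hard-coded RPC address will not appear in these logs, so an empty result does not clear a device.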
What Does This Mean for the Owner of Such a Box?
Your internet connection could be used to launch cyberattacks on third-party resources, and your IP address could appear in fraud investigations. The device will operate in the background, consuming traffic and resources, and you will likely never know.
The Researchers' Recommendation is Unequivocal:
If your TV box is a no-name device from a dubious marketplace, receives no updates, and seems like a "lottery ticket," the safest course is to immediately disconnect it from the internet. The only reliable solution is to replace it with a device from a reputable manufacturer that provides regular security updates.